Security update for pdns-recursor SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:0953-1 Final 1 1 2018-04-16T15:14:46Z current 2018-04-16T15:14:46Z 2018-04-16T15:14:46Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for pdns-recursor This update for pdns-recursor fixes the following issues: - update to 4.1.2 - New Features - #6344: Add FFI version of gettag(). - Improvements - #6298, #6303, #6268, #6290: Add the option to set the AXFR timeout for RPZs. - #6172: IXFR: correct behavior of dealing with DNS Name with multiple records and speed up IXFR transaction (Leon Xu). - #6379: Add RPZ statistics endpoint to the API. - Bug Fixes - #6336, #6293, #6237: Retry loading RPZ zones from server when they fail initially. - #6300: Fix ECS-based cache entry refresh code. - #6320: Fix ECS-specific NS AAAA not being returned from the cache. - update to version 4.1.1: + Fixes security vulnerability where man-in-the-middle to send a NXDOMAIN answer for a DNSSEC name that does exist. (boo#1077154, CVE-2018-1000003) + Don't validate signature for 'glue' CNAME, since anything else than the initial CNAME can’t be considered authoritative. - update to version 4.0.7: (boo#1069242) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2018-364 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1069242 SUSE Bug 1069242 https://bugzilla.suse.com/1077154 SUSE Bug 1077154 https://www.suse.com/security/cve/CVE-2018-1000003/ SUSE CVE CVE-2018-1000003 page SUSE Package Hub 12 SP1 pdns-recursor-4.1.2-5.1 pdns-recursor-4.1.2-5.1 as a component of SUSE Package Hub 12 SP1 Improper input validation bugs in DNSSEC validators components in PowerDNS version 4.1.0 allow attacker in man-in-the-middle position to deny existence of some data in DNS via packet replay. CVE-2018-1000003 SUSE Package Hub 12 SP1:pdns-recursor-4.1.2-5.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-1000003.html CVE-2018-1000003 https://bugzilla.suse.com/1077154 SUSE Bug 1077154